
QLowEnergyControllerPrivateBluez: guard against malformed replies

The QLowEnergyControllerPrivateBluez::l2cpReadyRead() slot reads the data from a Bluetooth L2CAP socket and then tries to process it according to ATT protocol specs.

However, the code was missing length and sanity checks at some codepaths in processUnsolicitedReply() and processReply() helper methods, simply relying on the data to be in the proper format.

This patch adds some minimal checks to make sure that we do not read past the end of the received array and do not divide by zero.

This problem was originally pointed out by Marc Mutz in an unrelated patch.

Pick-to: 6.5 5.15
Change-Id: I8dcfe031f70ad61fa3d87dc9d771c3fabc6d0edc
Reviewed-by: Alex Blasche alexander.blasche@qt.io
Reviewed-by: Juha Vuolle juha.vuolle@qt.io
(cherry picked from commit aecbd657)
Reviewed-by: Qt Cherry-pick Bot cherrypick_bot@qt-project.org
(cherry picked from commit 53e99167)

(cherry picked from commit 465e3f31)
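
The kind of check the commit message describes, shown as an added example that is not Qt's code and not taken from this change. It assumes the ATT Read By Type Response layout (opcode 0x09, a one-byte per-entry length, then the entry list) as the illustration; the function name, struct and sample PDU are hypothetical.

```cpp
// Added example, not Qt's code. Names and sample PDUs are constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct AttributeData {
    std::uint16_t handle;
    std::vector<std::uint8_t> value;
};

constexpr std::uint8_t kReadByTypeResponse = 0x09;

// Layout: [0] opcode, [1] per-entry length, [2..] entries of
// (handle, little-endian 16 bit) + (value, length - 2 bytes).
// Returns false, leaving `out` empty, for any PDU that does not fit.
bool parseReadByTypeResponse(const std::vector<std::uint8_t> &pdu,
                             std::vector<AttributeData> &out)
{
    out.clear();
    if (pdu.size() < 2 || pdu[0] != kReadByTypeResponse)
        return false;               // no room for opcode + length byte

    const std::size_t entryLen = pdu[1];
    if (entryLen < 2)
        return false;               // 0 would divide by zero; 1 cannot hold a handle

    const std::size_t payload = pdu.size() - 2;
    if (payload == 0 || payload % entryLen != 0)
        return false;               // empty list or truncated last entry

    const std::size_t count = payload / entryLen;   // safe: entryLen >= 2
    out.reserve(count);
    for (std::size_t i = 0; i < count; ++i) {
        const std::uint8_t *entry = pdu.data() + 2 + i * entryLen;
        AttributeData a;
        a.handle = static_cast<std::uint16_t>(entry[0] | (entry[1] << 8));
        a.value.assign(entry + 2, entry + entryLen);
        out.push_back(a);
    }
    return true;
}

int main()
{
    std::vector<AttributeData> out;
    const std::vector<std::uint8_t> zeroLen = {0x09, 0x00, 0x01, 0x00}; // constructed
    std::printf("zero-length PDU accepted: %d\n", parseReadByTypeResponse(zeroLen, out));
}
```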
